Nintendo downplays Wii U 'hidden control panel' hack fears

A video games fan claims he accidentally hacked into the online environment (Miiverse) of Nintendo's latest game console, the Wii U.

A gamer called Trike claims he stumbled across a secret debug menu in the Miiverse that gave him access to a list of administrators and a control panel, hours after the US release of the console on Sunday. Snapshots posted by the gamer suggest he might have inadvertently scored access to controls that would have allowed him to delete access rights to Japanese administrators of the network or re-issue passwords.

However Nintendo said that the supposed "debug menu" was actually a "mock-up", not a live system.

"It has come to our attention that some people were able to access a mock up menu on Miiverse following the launch of Wii U in the US," Nintendo told Games Industry International. "Please note that this was only a mock up menu and has now been removed and is not accessible."

Trike said he made no attempt to abuse the supposed super-user rights he had inadvertently stumbled upon. Significantly, he also claims to have come across private message and pre-launch user forums in the Miiverse.

"At first it asked me to sign in, because my login information didn't match," Trike explained. "Then I pressed a button and it sent me to a list of admins anyway. They had buttons in the same row as the names, and I could "regenerate password" or "Delete Admin" or something along those lines. I didn't do it it because I didn't want to risk getting my god damn Wii U banned on day 1."

Trike asked for help in passing on his surprise finding to Nintendo "directly without going through their customer service email crap", as he put it. The gamer reported his discovery in a posts to the NeoGAF gaming forum, alongside snapshots taken from a mobile phone that appear to depict Miiverse control panels, as evidence of the apparent (since denied) security breach.

The gamer further claimed he was able to view private messages sent by other online gamers as well as hidden forums intended for discussion of upcoming (unannounced) games such as Yoshi's Island Wii U.

Feedback to these posts was largely along the lines of "Delete everything, make yourself an admin and RULE THE MIIVERSE", to quote one post.

Chris Boyd (AKA PaperGhost), senior threat researcher at GFI Software, and an expert in gaming security, played down the practical significance of the incident to game fans.

"On this occasion it's probably nothing to worry about, although it's unusual for such a menu to be so easily accessible - typically mock ups are kept on their own private network (sometimes requiring development kits to operate), or offline altogether<" Boyd told El Reg.

Nintendo's US tentacle announced it was running maintenance on its network on Monday morning, before later advising customers not to turn off their console during the update process.

So many Miis have jumped on Miiverse that some may be having problems connecting to the service. We are in the engine room getting it fixed!

This Twitter post makes no mention of removing access to the mock up menu but access to this facility was blocked following the update.

The security of gaming networks has become a bigger issue since the Playstation Network hack that spilled names, addresses, email addresses, birthdays and user login credentials of million of gamers last year. PSN was taken offline for more than a month to sort of the resulting mess.

The Nintendo breach is small beer by comparison, notes Graham Cluley of Sophos in a blog post on the apparent Miiverse snafu.

"Is the apparent security snafu damaging to Nintendo? Probably not. They appear to have resolved the issue quickly, and there is no suggestion that sensitive information was stolen from users, unlike last year's Sony PlayStation network hack where hackers stole the personal data of millions of people," Cluley writes. ®